Prototype Pollution
Description
The nconf package before 0.11.4 allows prototype pollution via the memory engine's .set() function, enabling attackers to modify Object.prototype properties.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The nconf package before version 0.11.4 is vulnerable to Prototype Pollution when using the memory engine [1][2]. The .set() function, responsible for setting configuration properties, does not adequately sanitize user-supplied property names, allowing an attacker to supply a crafted property such as __proto__ or constructor.prototype to pollute the Object prototype [2][4].
Exploitation
An attacker can exploit this vulnerability by calling the .set() function with a malicious property path that targets the object's prototype (e.g., nconf.set('__proto__.polluted', 'true')) [2][4]. No authentication is required if the attacker can control the input to .set(); however, exploitation typically requires the attacker to have some means of injecting the crafted key-value pair into the configuration process [2].
Impact
Successful prototype pollution can lead to the modification of properties on Object.prototype, which are inherited by all JavaScript objects in the application [4]. This can result in denial of service (e.g., by polluting a property that causes exceptions) or potentially remote code execution if the polluted property influences application behavior in a dangerous way [4]. The scope of impact depends on the application's usage of the polluted properties.
Mitigation
The vulnerability is fixed in nconf version 0.11.4, released on 2020-10-19 [1][3]. The fix was implemented in pull request #397, which sanitizes keys passed to the memory engine's .set() function [3]. Users should upgrade to 0.11.4 or later. There is no known workaround for earlier versions [2].
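The check described above, as an added illustration that is not nconf's own code or the actual fix from pull request #397: a minimal memory store whose set() walks colon-separated key paths (nconf's key convention) and refuses any segment that could reach Object.prototype, while also keeping the store itself prototype-less as a second line of defence. The MemoryStore class and FORBIDDEN_SEGMENTS set are hypothetical names for this example.

```javascript
// Added example, not nconf's own code or its fix: a minimal memory store
// whose set() walks colon-separated key paths, hardened so that no path
// segment can reach Object.prototype (the CVE-2022-21803 bug class).
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Returns the path segments, or null if any segment could lead to the prototype.
function safePath(key) {
  const parts = String(key).split(':');
  for (const part of parts) {
    if (part === '' || FORBIDDEN_SEGMENTS.has(part)) return null;
  }
  return parts;
}

class MemoryStore {
  constructor() {
    // Prototype-less root: even a bug elsewhere cannot reach Object.prototype via it.
    this.store = Object.create(null);
  }

  // Sets key:path:to:value; returns false (and changes nothing) on a rejected key.
  set(key, value) {
    const parts = safePath(key);
    if (parts === null) return false;
    let target = this.store;
    for (const part of parts.slice(0, -1)) {
      // Only descend into own, plain objects; never into inherited properties.
      if (!Object.prototype.hasOwnProperty.call(target, part) ||
          typeof target[part] !== 'object' || target[part] === null) {
        target[part] = Object.create(null);
      }
      target = target[part];
    }
    target[parts[parts.length - 1]] = value;
    return true;
  }

  // Reads key:path; undefined for missing or rejected paths, never inherited values.
  get(key) {
    const parts = safePath(key);
    if (parts === null) return undefined;
    let target = this.store;
    for (const part of parts) {
      if (target === undefined || target === null) return undefined;
      target = Object.prototype.hasOwnProperty.call(target, part) ? target[part] : undefined;
    }
    return target;
  }
}
```

A useful regression test for any such store is that, after a rejected key, a fresh `{}` still has no property of that name.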
- GitHub - indexzero/nconf: Hierarchical node.js configuration with files, environment variables, command-line arguments, and atomic object merging.
- NVD - CVE-2022-21803
- fix(security): prevent prototype pollution in memory store by mhamann · Pull Request #397 · indexzero/nconf
- Snyk Vulnerability Database | Snyk
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nconf (npm) | < 0.11.4 | 0.11.4 |
Affected products
- nconf/nconf
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- github.com/advisories/GHSA-6xwr-q98w-rvg7 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-21803 (ghsa, ADVISORY)
- github.com/indexzero/nconf/pull/397 (ghsa, x_refsource_MISC, WEB)
- github.com/indexzero/nconf/releases/tag/v0.11.4 (ghsa, x_refsource_MISC, WEB)
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2632450 (mitre, x_refsource_MISC)
- snyk.io/vuln/SNYK-JS-NCONF-2395478 (ghsa, x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.